US20090204980A1 - Method for implementing ejection-safe API interception - Google Patents
Method for implementing ejection-safe API interception Download PDFInfo
- Publication number
- US20090204980A1 US20090204980A1 US12/029,402 US2940208A US2009204980A1 US 20090204980 A1 US20090204980 A1 US 20090204980A1 US 2940208 A US2940208 A US 2940208A US 2009204980 A1 US2009204980 A1 US 2009204980A1
- Authority
- US
- United States
- Prior art keywords
- api
- dll
- target computer
- application
- computer process
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 51
- 230000008569 process Effects 0.000 claims abstract description 36
- 230000015654 memory Effects 0.000 claims abstract description 15
- 238000001914 filtration Methods 0.000 claims abstract description 5
- 230000004044 response Effects 0.000 claims description 3
- 230000006870 function Effects 0.000 description 27
- 238000004590 computer program Methods 0.000 description 8
- 238000013459 approach Methods 0.000 description 5
- 239000000243 solution Substances 0.000 description 4
- 230000007246 mechanism Effects 0.000 description 3
- 230000004048 modification Effects 0.000 description 3
- 238000012986 modification Methods 0.000 description 3
- 230000002085 persistent effect Effects 0.000 description 3
- 238000012545 processing Methods 0.000 description 3
- 230000006399 behavior Effects 0.000 description 2
- 238000010586 diagram Methods 0.000 description 2
- 230000003287 optical effect Effects 0.000 description 2
- 239000008186 active pharmaceutical agent Substances 0.000 description 1
- 230000008901 benefit Effects 0.000 description 1
- 230000008859 change Effects 0.000 description 1
- 238000002347 injection Methods 0.000 description 1
- 239000007924 injection Substances 0.000 description 1
- 238000007689 inspection Methods 0.000 description 1
- 230000009191 jumping Effects 0.000 description 1
- 238000012544 monitoring process Methods 0.000 description 1
- 238000012805 post-processing Methods 0.000 description 1
- 238000013515 script Methods 0.000 description 1
- 230000026676 system process Effects 0.000 description 1
- 230000001960 triggered effect Effects 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/46—Multiprogramming arrangements
- G06F9/48—Program initiating; Program switching, e.g. by interrupt
- G06F9/4806—Task transfer initiation or dispatching
- G06F9/4812—Task transfer initiation or dispatching by interrupt, e.g. masked
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2209/00—Indexing scheme relating to G06F9/00
- G06F2209/48—Indexing scheme relating to G06F9/48
- G06F2209/481—Exception handling
Definitions
- the present invention relates to methods for ejecting (e.g., unloading) dynamic link libraries (DLLs) containing one or more computer program execution stream modifications (e.g., application programming interface (API) hooks) from a computer system without causing a target application of the hooks to crash.
- DLLs dynamic link libraries
- API hooks application programming interface
- Modern computer systems function under the control of an operating system—a set of computer-readable instructions that control low level functions within the computer system (for example, memory allocation, input and output distribution, interrupt processing and job scheduling).
- an operating system for personal computers is Microsoft's WindowsTM family of operating systems. Although critical to the operation of the computer system, much (if not most) of the operating system's functioning is hidden from users of the computer system, who instead tend to interact with application programs to perform tasks such as composing documents or sending and receiving e-mail, etc.
- Application programs are generally what a user thinks of when he or she thinks of a computer program. That is, a set of computer-readable instructions that allow the computer system to perform a specific task, such as word processing or the like. Application programs make use of operating systems to manipulate the resources of the computer system in desired ways to carry out these tasks. In doing so, the application program makes requests of the operating system functions through an application programming interface (API). When an application makes such a request, it is said to issue a “call” for the desired function.
- API application programming interface
- the API defines how the application program must present its request (or call) for the desired service and the information (or “arguments”) that must be provided to the operating system in order for the request to be carried out.
- Modern application programs include literally thousands of calls for things such as displaying characters on the screen of a computer system, and reading and writing information from/to the computer system's memory.
- the operating system returns control to the application program (and, in some cases, may also return a value for further processing by the application program).
- API hooking is a programming technique that can be employed to carry out these tasks.
- So-called “hooks” are examples of computer program execution stream modifications that can be used to redirect a set of computer-readable instructions from its customary path (e.g., to a replacement function). This replacement function typically will perform some manipulation of the arguments passed as part of the call before transferring control back to the called API. Likewise, the replacement function can be used to manipulate results returned from the called API before passing them back to the application program.
- API hooking allows for monitoring and/or interception of calls for services made by an application program during its execution.
- API hooks can be introduced in a variety of ways, either at the source of the call (i.e., the application program) or the target thereof (e.g., the operating system process being called).
- a particularly powerful method of API hooking involves injecting a dynamic link library (DLL) into the address space of the target program and patching the API with a branch (i.e., JMP) instruction.
- DLL dynamic link library
- JMP branch
- a DLL is a file containing executable instructions (in the form of subroutines and functions) that can be loaded and executed by a computer program while that program is running.
- the JMP instruction is simply a mechanism by which to transfer program control to a desired point in an instruction stream.
- calls from an application program 10 to the intercepted API 12 are redirected by a hook stub 14 to a hook function 16 inside the injected DLL.
- the hook function 16 can then perform the desired manipulation (e.g., such as inspection or modification of arguments) before, after, and in some cases instead of passing control to the original API 12 .
- the hook stub 14 is used is to prepare the stack frame (a portion of a call stack for the computer system—the call stack is used to keep track of the point to which each request for services should return when the request has been completed) and to keep a reference count of the number of concurrent threads (individual program flows) running inside the hook function 16 .
- This sort of API interception can be used with both on-demand software (software applications that are used on an as-needed basis but which are not installed on the subject computer system) and persistent software (software applications installed on the subject computer system), to control the behavior of application programs and provide additional context information concerning same. Nevertheless, a technical challenge is introduced when an on-demand application is terminated, or a persistent software application is uninstalled, and that application needs to clean up its DLLs from the subject computer system.
- the Windows operating system prevents an injected DLL (containing hook functions) from being deleted until it is ejected from the address space of all applications. But, hook functions such as those described above typically chain to the original APIs that can block execution for prolonged periods of time. Hence, as shown in FIG. 2 , ejecting the DLL (and the associated hook function) from the address space of the target program would result in a crash (i.e., an exception) when the call returns back into the unloaded DLL code (a situation represented by the dashed lines).
- ejection of the “hooking DLL” may take place at an appointed time or when an application program that performed the initial injection of the subject DLL (a so-called controlling application) terminates. Or, there may be other scenarios that arise that lead to explicit ejection of the subject DLL or a self-ejection thereof. Hence, what is needed is a technique for safely ejecting a DLL containing one or more API hooks in such situations.
- Still further embodiments of the present invention provide for injecting a DLL that includes an API hook into the address space of a target computer process called by an application program.
- a controlling application program responsible for injecting the DLL Upon termination of a controlling application program responsible for injecting the DLL, storing computer-readable instructions describing a process for filtering exceptions returned from the target computer process in memory locations accessible to the target computer process and ejecting the DLL.
- FIG. 1 illustrates an example of the flow between various software components of an API interception scheme
- FIG. 2 illustrates a situation where a DLL containing a hook function is prematurely removed from the program flow illustrated in FIG. 1 , which can lead to an exception condition for the target program;
- FIG. 3 is a portion of a computer program listing illustrating the use of an exception handler to manage a return from a called API when a DLL containing a hook function is ejected from the address space of the target application prior to such return;
- FIG. 4 is a program flow diagram illustrates the use of an exception handler as a means for managing a return from a called API when a DLL containing a hook function is ejected from the address space of the target application prior to such return;
- FIG. 5 shows the result of the program flow after the subject DLL has been safely ejected.
- Described herein are methods for safely ejecting DLLs containing API hooks from a computer system when an application program is terminated or uninstalled, without causing a target application of the hooks to crash.
- terms such as software, programs, routines, applications, scripts and the like, as used herein, are meant to encompass any series of logical steps (described in a computer-readable language) performed in a sequence to accomplish a given purpose.
- a second approach is to modify the hook function to chain to the original API code by jumping into that code (rather than calling into it), leaving the stack frame exactly as it was when the hook function was entered. This allows the API to return directly to the original calling application program, skipping the injected DLL altogether. Since the DLL is no longer in use, it can be safely ejected and deleted from the subject computer system without creating a risk of an application crash. While this approach is viable in some cases, it is not suitable for situations where the hook function needs to examine the value of parameters returned by the original API.
- a third solution is to terminate the injected application, allowing for proper cleanup of the injected DLL. This creates a usability problem and is not viable for system services that must remain running (or the Windows desktop process).
- a forth solution allows safe ejection without compromising on-demand functionality or usability.
- This solution takes advantage of an operating system's structured exception handling (SEH) mechanism, which allow an application to recover from critical failures and resume execution from a “good” location.
- SEH structured exception handling
- the compiler along with the operating system unwind the stack and call the destructors for any C++ objects that were constructed prior to the exception being triggered.
- FIG. 3 presents a portion of a computer program that illustrates the use of SEH in accordance with an embodiment of the present invention.
- exception handling mechanisms may be used; for example, vectored exception handling may be used with the Windows operating system.
- the computer process ( 18 ) presented in FIG. 3 simulates the flow of execution when a call to an intercepted API is issued by an application.
- an exception is thrown ( 20 ) to simulate a case where a DLL containing the hook function is unloaded from the target application's address space.
- the end result is that instead of crashing (as would have been the case if the try/except statement ( 22 ) was omitted), the application resumes execution correctly as shown in FIG. 4 .
- the exception filter ( 24 ) checks to see whether the exception occurred inside the memory addresses previously occupied by the hook DLL and, if so, passes control to the except section for handling. Otherwise, the exception originated from within the target API and the calling application is given the chance to handle it ( 26 ).
- FIG. 5 shows the result after the subject DLL has been safely ejected. Calls are made into the target API 12 and returned therefrom. Note that although not shown in the diagrams it is important to ensure that prior to the ejection, the Hook Function 16 is not executing at the time. Similarly, there should be no ejection if Hook Stub 14 is about to call the Hook Function 16 . Further, if the Hook Function 16 is to perform any post-processing or clean up after a call returns from the target API 12 , ejection should be postponed until that call returns.
- a DLL containing hook functions can be safely ejected as soon as the on-demand software is terminated or the persistent software is uninstalled, even when execution is blocked inside intercepted API calls.
- Other implementation options exist (e.g., per-process last chance exception handlers, hooking the Windows exception dispatcher, running the process under a debugger process), but these are all variations on the procedure presented above.
- methods for safely ejecting DLLs containing API hooks from a computer system when an application program is terminated or uninstalled, without causing a target application of the hooks to crash have been described.
Abstract
Description
- The present invention relates to methods for ejecting (e.g., unloading) dynamic link libraries (DLLs) containing one or more computer program execution stream modifications (e.g., application programming interface (API) hooks) from a computer system without causing a target application of the hooks to crash.
- Modern computer systems function under the control of an operating system—a set of computer-readable instructions that control low level functions within the computer system (for example, memory allocation, input and output distribution, interrupt processing and job scheduling). A well-known example of an operating system for personal computers is Microsoft's Windows™ family of operating systems. Although critical to the operation of the computer system, much (if not most) of the operating system's functioning is hidden from users of the computer system, who instead tend to interact with application programs to perform tasks such as composing documents or sending and receiving e-mail, etc.
- Application programs are generally what a user thinks of when he or she thinks of a computer program. That is, a set of computer-readable instructions that allow the computer system to perform a specific task, such as word processing or the like. Application programs make use of operating systems to manipulate the resources of the computer system in desired ways to carry out these tasks. In doing so, the application program makes requests of the operating system functions through an application programming interface (API). When an application makes such a request, it is said to issue a “call” for the desired function.
- The API defines how the application program must present its request (or call) for the desired service and the information (or “arguments”) that must be provided to the operating system in order for the request to be carried out. Modern application programs include literally thousands of calls for things such as displaying characters on the screen of a computer system, and reading and writing information from/to the computer system's memory. When the requested function has been completed, the operating system returns control to the application program (and, in some cases, may also return a value for further processing by the application program).
- Occasionally, it is desirable to change the manner in which a particular application program interacts with the operating system (or another target computer program of the application programs' requests), or to extend or monitor the behavior of the application program in some fashion. So-called “API hooking” is a programming technique that can be employed to carry out these tasks. So-called “hooks” are examples of computer program execution stream modifications that can be used to redirect a set of computer-readable instructions from its customary path (e.g., to a replacement function). This replacement function typically will perform some manipulation of the arguments passed as part of the call before transferring control back to the called API. Likewise, the replacement function can be used to manipulate results returned from the called API before passing them back to the application program. Thus, API hooking allows for monitoring and/or interception of calls for services made by an application program during its execution.
- API hooks can be introduced in a variety of ways, either at the source of the call (i.e., the application program) or the target thereof (e.g., the operating system process being called). A particularly powerful method of API hooking involves injecting a dynamic link library (DLL) into the address space of the target program and patching the API with a branch (i.e., JMP) instruction. A DLL is a file containing executable instructions (in the form of subroutines and functions) that can be loaded and executed by a computer program while that program is running. The JMP instruction is simply a mechanism by which to transfer program control to a desired point in an instruction stream.
- As shown in
FIG. 1 , when the above-described procedure is used, calls from anapplication program 10 to the interceptedAPI 12 are redirected by ahook stub 14 to ahook function 16 inside the injected DLL. Thehook function 16 can then perform the desired manipulation (e.g., such as inspection or modification of arguments) before, after, and in some cases instead of passing control to theoriginal API 12. Thehook stub 14 is used is to prepare the stack frame (a portion of a call stack for the computer system—the call stack is used to keep track of the point to which each request for services should return when the request has been completed) and to keep a reference count of the number of concurrent threads (individual program flows) running inside thehook function 16. - This sort of API interception can be used with both on-demand software (software applications that are used on an as-needed basis but which are not installed on the subject computer system) and persistent software (software applications installed on the subject computer system), to control the behavior of application programs and provide additional context information concerning same. Nevertheless, a technical challenge is introduced when an on-demand application is terminated, or a persistent software application is uninstalled, and that application needs to clean up its DLLs from the subject computer system. The Windows operating system prevents an injected DLL (containing hook functions) from being deleted until it is ejected from the address space of all applications. But, hook functions such as those described above typically chain to the original APIs that can block execution for prolonged periods of time. Hence, as shown in
FIG. 2 , ejecting the DLL (and the associated hook function) from the address space of the target program would result in a crash (i.e., an exception) when the call returns back into the unloaded DLL code (a situation represented by the dashed lines). - In addition to the above, ejection of the “hooking DLL” may take place at an appointed time or when an application program that performed the initial injection of the subject DLL (a so-called controlling application) terminates. Or, there may be other scenarios that arise that lead to explicit ejection of the subject DLL or a self-ejection thereof. Hence, what is needed is a technique for safely ejecting a DLL containing one or more API hooks in such situations.
- According to one embodiment of the present invention, in response to an exception returned from a called target computer process a determination is made as to whether or not the exception occurred within a memory space previously occupied by a DLL containing an API hook relating to the target computer process. If so, program control is passed to a designated exception handler. Otherwise, program control is returned to a calling application.
- In other embodiments of the invention, responsive to termination of a software application that made one or more calls to a target computer process via an API, computer-readable instructions describing a process for filtering exceptions returned from the target computer process are stored in memory locations accessible to the target computer process. Thereafter, a DLL containing API hooks for one or more of the calls is ejected from an address space of a target computer process.
- Still further embodiments of the present invention provide for injecting a DLL that includes an API hook into the address space of a target computer process called by an application program. Upon termination of a controlling application program responsible for injecting the DLL, storing computer-readable instructions describing a process for filtering exceptions returned from the target computer process in memory locations accessible to the target computer process and ejecting the DLL.
- The present invention is illustrated by way of example, and not limitation, in the figures of the accompanying drawings in which:
-
FIG. 1 illustrates an example of the flow between various software components of an API interception scheme; -
FIG. 2 illustrates a situation where a DLL containing a hook function is prematurely removed from the program flow illustrated inFIG. 1 , which can lead to an exception condition for the target program; -
FIG. 3 is a portion of a computer program listing illustrating the use of an exception handler to manage a return from a called API when a DLL containing a hook function is ejected from the address space of the target application prior to such return; -
FIG. 4 is a program flow diagram illustrates the use of an exception handler as a means for managing a return from a called API when a DLL containing a hook function is ejected from the address space of the target application prior to such return; and -
FIG. 5 shows the result of the program flow after the subject DLL has been safely ejected. - Described herein are methods for safely ejecting DLLs containing API hooks from a computer system when an application program is terminated or uninstalled, without causing a target application of the hooks to crash. In general, terms such as software, programs, routines, applications, scripts and the like, as used herein, are meant to encompass any series of logical steps (described in a computer-readable language) performed in a sequence to accomplish a given purpose. Although these methods will be described with reference to various illustrated embodiments thereof, readers should recognize that these illustrated embodiments are merely examples of the present invention. Hence, these examples should not be read as limiting the scope of the invention, which instead should be measured only in terms of the claims following this description.
- Several methods are available for managing the problems discussed above. For example, one may simply to leave the DLL injected even after the on-demand software is terminated. The downside of this approach is that it is impossible to delete the DLL while it is still loaded into the address space of running processes, which conflicts with the requirement of an on-demand application to leave no traces behind when it is terminated. This approach also creates complications when the on-demand software is again downloaded to the subject computer system, as it prevents overwriting the injected DLL with a newer version thereof.
- A second approach is to modify the hook function to chain to the original API code by jumping into that code (rather than calling into it), leaving the stack frame exactly as it was when the hook function was entered. This allows the API to return directly to the original calling application program, skipping the injected DLL altogether. Since the DLL is no longer in use, it can be safely ejected and deleted from the subject computer system without creating a risk of an application crash. While this approach is viable in some cases, it is not suitable for situations where the hook function needs to examine the value of parameters returned by the original API.
- A third solution is to terminate the injected application, allowing for proper cleanup of the injected DLL. This creates a usability problem and is not viable for system services that must remain running (or the Windows desktop process).
- A forth solution allows safe ejection without compromising on-demand functionality or usability. This solution takes advantage of an operating system's structured exception handling (SEH) mechanism, which allow an application to recover from critical failures and resume execution from a “good” location. As part of this process, the compiler along with the operating system unwind the stack and call the destructors for any C++ objects that were constructed prior to the exception being triggered.
FIG. 3 presents a portion of a computer program that illustrates the use of SEH in accordance with an embodiment of the present invention. Of course, other exception handling mechanisms may be used; for example, vectored exception handling may be used with the Windows operating system. - The computer process (18) presented in
FIG. 3 simulates the flow of execution when a call to an intercepted API is issued by an application. When the call to the target API returns back to the hook function, an exception is thrown (20) to simulate a case where a DLL containing the hook function is unloaded from the target application's address space. The end result is that instead of crashing (as would have been the case if the try/except statement (22) was omitted), the application resumes execution correctly as shown inFIG. 4 . - The exception filter (24) checks to see whether the exception occurred inside the memory addresses previously occupied by the hook DLL and, if so, passes control to the except section for handling. Otherwise, the exception originated from within the target API and the calling application is given the chance to handle it (26).
- As part of this solution, to avoid a second exception when the CPU passes control to the exception handler (28) and filter (26), those components will not be freed when the DLL is ejected. Instead, the exception handler and filter will be stored in a named virtual memory block that will be reused the next time hooks are set in the subject process. This is not a significant concern, inasmuch as the exception handler and filter consume only a small amount of virtual memory in each process' address space.
-
FIG. 5 shows the result after the subject DLL has been safely ejected. Calls are made into thetarget API 12 and returned therefrom. Note that although not shown in the diagrams it is important to ensure that prior to the ejection, theHook Function 16 is not executing at the time. Similarly, there should be no ejection ifHook Stub 14 is about to call theHook Function 16. Further, if theHook Function 16 is to perform any post-processing or clean up after a call returns from thetarget API 12, ejection should be postponed until that call returns. - Using this approach, a DLL containing hook functions can be safely ejected as soon as the on-demand software is terminated or the persistent software is uninstalled, even when execution is blocked inside intercepted API calls. Other implementation options exist (e.g., per-process last chance exception handlers, hooking the Windows exception dispatcher, running the process under a debugger process), but these are all variations on the procedure presented above. Thus, methods for safely ejecting DLLs containing API hooks from a computer system when an application program is terminated or uninstalled, without causing a target application of the hooks to crash have been described.
- Readers should recognize that various embodiments of the computer processes described herein may be implemented in any of a variety of computer programming languages, for execution by any form of computer system. These processes can be instantiated as a computer program stored in or on any form of computer-readable storage medium, such as, but not limited to, any type of disk (including floppy disks, optical disks, and magnetic-optical disks), memory (including read-only memories and random access memories), magnetic or optical cards, or any other type of media suitable for storing such instructions. The present invention is not limited to use with Windows-based systems but may also be used with any operating system that supports structured exception handling (e.g., Mac OS X, Linux, etc.).
Claims (3)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US12/029,402 US8255931B2 (en) | 2008-02-11 | 2008-02-11 | Method for implementing ejection-safe API interception |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US12/029,402 US8255931B2 (en) | 2008-02-11 | 2008-02-11 | Method for implementing ejection-safe API interception |
Publications (2)
Publication Number | Publication Date |
---|---|
US20090204980A1 true US20090204980A1 (en) | 2009-08-13 |
US8255931B2 US8255931B2 (en) | 2012-08-28 |
Family
ID=40940009
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US12/029,402 Active 2031-06-23 US8255931B2 (en) | 2008-02-11 | 2008-02-11 | Method for implementing ejection-safe API interception |
Country Status (1)
Country | Link |
---|---|
US (1) | US8255931B2 (en) |
Cited By (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8286199B1 (en) * | 2008-08-22 | 2012-10-09 | SmartVault Corporation | Automated method for creating a graphical user interface for a document management system that is visually integrated with an application having limited native GUI-integration capabilities |
CN102841795A (en) * | 2011-06-24 | 2012-12-26 | 镇江华扬信息科技有限公司 | Remote thread injection technology method |
US8578486B2 (en) | 2010-06-18 | 2013-11-05 | Microsoft Corporation | Encrypted network traffic interception and inspection |
CN103902284A (en) * | 2014-03-07 | 2014-07-02 | 中国人民解放军装甲兵工程学院 | Data acquisition method and system based on dynamic library API interception |
CN104156481A (en) * | 2014-08-26 | 2014-11-19 | 北京软安科技有限公司 | Android encryption communication detection device and method based on dynamic linking library injection |
WO2014209359A1 (en) * | 2013-06-28 | 2014-12-31 | Hewlett-Packard Development Company, L.P. | Hook framework |
CN104956337A (en) * | 2013-01-31 | 2015-09-30 | 三菱电机株式会社 | Computer device and control method for computer device |
WO2016144304A1 (en) * | 2015-03-06 | 2016-09-15 | Hewlett Packard Enterprise Development Lp | Dynamic api management |
JP2017022751A (en) * | 2012-10-19 | 2017-01-26 | インテル・コーポレーション | Encrypted data inspection in network environment |
CN107103099A (en) * | 2017-05-26 | 2017-08-29 | 北京金山安全管理系统技术有限公司 | Main browser page return method and device |
CN107391219A (en) * | 2017-07-07 | 2017-11-24 | 腾讯科技(深圳)有限公司 | Function Compilation Method and device |
CN110221961A (en) * | 2019-04-26 | 2019-09-10 | 平安科技(深圳)有限公司 | Global hook self-repairing method, device, equipment and storage medium |
TWI739284B (en) * | 2020-01-20 | 2021-09-11 | 精品科技股份有限公司 | Console application control management method and system |
Families Citing this family (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
ES2439803B1 (en) * | 2012-04-19 | 2014-10-29 | Universitat Politècnica De Catalunya | Procedure, system and piece of executable code to control the use of hardware resources of a computer system |
CN103559450B (en) * | 2013-10-11 | 2016-01-13 | 南京邮电大学 | A kind of electronic tag data guard method based on kernel-driven Hook Technique |
CN105512015B (en) * | 2015-12-15 | 2018-09-04 | 北京奇虎科技有限公司 | A kind of Android intended application collapse statistical method and device |
CN105786524B (en) * | 2016-03-23 | 2019-03-12 | 福建正孚软件有限公司 | Software hooks setting method and device |
CN107741862A (en) * | 2016-08-24 | 2018-02-27 | 长沙博为软件技术股份有限公司 | A kind of data grab method of multipad striding course |
US10235161B2 (en) * | 2017-02-06 | 2019-03-19 | American Megatrends, Inc. | Techniques of adding security patches to embedded systems |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20040250189A1 (en) * | 2003-06-04 | 2004-12-09 | Smith Frederick J. | Systems and methods for injecting an exception into a target thread |
US7055146B1 (en) * | 2001-03-08 | 2006-05-30 | Microsoft Corporation | Method and system for dynamically inserting modifications for identified programs |
US20060277539A1 (en) * | 2005-06-07 | 2006-12-07 | Massachusetts Institute Of Technology | Constraint injection system for immunizing software programs against vulnerabilities and attacks |
US20070214461A1 (en) * | 2005-06-08 | 2007-09-13 | Logitech Europe S.A. | System and method for transparently processing multimedia data |
US20080016314A1 (en) * | 2006-07-12 | 2008-01-17 | Lixin Li | Diversity-based security system and method |
-
2008
- 2008-02-11 US US12/029,402 patent/US8255931B2/en active Active
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7055146B1 (en) * | 2001-03-08 | 2006-05-30 | Microsoft Corporation | Method and system for dynamically inserting modifications for identified programs |
US20040250189A1 (en) * | 2003-06-04 | 2004-12-09 | Smith Frederick J. | Systems and methods for injecting an exception into a target thread |
US20060277539A1 (en) * | 2005-06-07 | 2006-12-07 | Massachusetts Institute Of Technology | Constraint injection system for immunizing software programs against vulnerabilities and attacks |
US20070214461A1 (en) * | 2005-06-08 | 2007-09-13 | Logitech Europe S.A. | System and method for transparently processing multimedia data |
US20080016314A1 (en) * | 2006-07-12 | 2008-01-17 | Lixin Li | Diversity-based security system and method |
Cited By (17)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8286199B1 (en) * | 2008-08-22 | 2012-10-09 | SmartVault Corporation | Automated method for creating a graphical user interface for a document management system that is visually integrated with an application having limited native GUI-integration capabilities |
US8578486B2 (en) | 2010-06-18 | 2013-11-05 | Microsoft Corporation | Encrypted network traffic interception and inspection |
US9118700B2 (en) | 2010-06-18 | 2015-08-25 | Microsoft Technology Licensing, Llc | Encrypted network traffic interception and inspection |
CN102841795A (en) * | 2011-06-24 | 2012-12-26 | 镇江华扬信息科技有限公司 | Remote thread injection technology method |
JP2017022751A (en) * | 2012-10-19 | 2017-01-26 | インテル・コーポレーション | Encrypted data inspection in network environment |
US9959225B2 (en) | 2013-01-31 | 2018-05-01 | Mitsubishi Electric Corporation | Computer apparatus and control method of computer apparatus |
CN104956337A (en) * | 2013-01-31 | 2015-09-30 | 三菱电机株式会社 | Computer device and control method for computer device |
EP2953028A4 (en) * | 2013-01-31 | 2016-10-12 | Mitsubishi Electric Corp | Computer device and control method for computer device |
WO2014209359A1 (en) * | 2013-06-28 | 2014-12-31 | Hewlett-Packard Development Company, L.P. | Hook framework |
US10545775B2 (en) | 2013-06-28 | 2020-01-28 | Micro Focus Llc | Hook framework |
CN103902284A (en) * | 2014-03-07 | 2014-07-02 | 中国人民解放军装甲兵工程学院 | Data acquisition method and system based on dynamic library API interception |
CN104156481A (en) * | 2014-08-26 | 2014-11-19 | 北京软安科技有限公司 | Android encryption communication detection device and method based on dynamic linking library injection |
WO2016144304A1 (en) * | 2015-03-06 | 2016-09-15 | Hewlett Packard Enterprise Development Lp | Dynamic api management |
CN107103099A (en) * | 2017-05-26 | 2017-08-29 | 北京金山安全管理系统技术有限公司 | Main browser page return method and device |
CN107391219A (en) * | 2017-07-07 | 2017-11-24 | 腾讯科技(深圳)有限公司 | Function Compilation Method and device |
CN110221961A (en) * | 2019-04-26 | 2019-09-10 | 平安科技(深圳)有限公司 | Global hook self-repairing method, device, equipment and storage medium |
TWI739284B (en) * | 2020-01-20 | 2021-09-11 | 精品科技股份有限公司 | Console application control management method and system |
Also Published As
Publication number | Publication date |
---|---|
US8255931B2 (en) | 2012-08-28 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US8255931B2 (en) | Method for implementing ejection-safe API interception | |
US7757218B2 (en) | Method of instrumenting code having restrictive calling conventions | |
US10032024B2 (en) | System and method for virtual partition monitoring | |
US9015676B2 (en) | Varying removal of internal breakpoints during debugging of code | |
US6708326B1 (en) | Method, system and program product comprising breakpoint handling mechanism for debugging and/or monitoring a computer instruction sequence | |
US5815702A (en) | Method and software products for continued application execution after generation of fatal exceptions | |
US7266844B2 (en) | Heuristic detection of polymorphic computer viruses based on redundancy in viral code | |
US20070113291A1 (en) | Method for administrating the function access | |
US6698016B1 (en) | Method for injecting code into another process | |
CN110603527B (en) | Method, system and apparatus for conditional debugging of server-side production code | |
US7162715B1 (en) | Method and apparatus for preemptive monitoring of software binaries by instruction interception and dynamic recompilation | |
US20060282827A1 (en) | Operating system loader modification | |
US20140289726A1 (en) | Function exit instrumentation for tail-call optimized code | |
US20080229141A1 (en) | Debugging method | |
US20040098639A1 (en) | Debugging kernel-loadable modules and suspending and replacing functions in non-microkernel operating systems | |
KR101011145B1 (en) | Device for injecting an application module, computing device having a function of injecting an application module and recoding medium recoding program for executing a method for injecting an application module | |
US20110265072A1 (en) | Dynamic Installation of Files for Running Programs | |
US8108840B2 (en) | Method for enhancing debugger performance of hardware assisted breakpoints | |
EP3128458B1 (en) | User-mode component injection and atomic hooking | |
US6957367B2 (en) | System and method for controlling activity of temporary files in a computer system | |
US5974249A (en) | Zero footprint method and apparatus for expanding allocated memory space of a process using a virtual memory area | |
US10521588B1 (en) | Dynamic analysis of malware that has evasion code | |
US20130117732A1 (en) | Technique to improve performance of software breakpoint handling | |
EP3223185A1 (en) | Dynamic code patching techniques from user-mode process address space | |
US8091096B1 (en) | Minimizing plug-in DLL repeat instantiation |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AS | Assignment |
Owner name: BLUE COAT SYSTEMS, INC., CALIFORNIA Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:FLORES, JOSE;REEL/FRAME:020505/0418 Effective date: 20080210 Owner name: BLUE COAT SYSTEMS, INC., CALIFORNIA Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:SANDOVAL, ANDREW L.;REEL/FRAME:020505/0410 Effective date: 20080201 |
|
AS | Assignment |
Owner name: BLUE COAT SYSTEMS, INC., CALIFORNIA Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:KAPLAN, YARIV;REEL/FRAME:027285/0604 Effective date: 20080130 |
|
AS | Assignment |
Owner name: JEFFERIES FINANCE LLC, NEW YORK Free format text: FIRST LIEN PATENT SECURITY AGREEMENT;ASSIGNOR:BLUE COAT SYSTEMS, INC.;REEL/FRAME:027727/0144 Effective date: 20120215 Owner name: JEFFERIES FINANCE LLC, NEW YORK Free format text: SECOND LIEN PATENT SECURITY AGREEMENT;ASSIGNOR:BLUE COAT SYSTEMS, INC.;REEL/FRAME:027727/0178 Effective date: 20120215 |
|
STCF | Information on status: patent grant |
Free format text: PATENTED CASE |
|
AS | Assignment |
Owner name: BLUE COAT SYSTEMS, INC., CALIFORNIA Free format text: RELEASE OF SECURITY INTEREST IN PATENT COLLATERAL RECORDED AT R/F 027727/0178;ASSIGNOR:JEFFERIES FINANCE LLC, AS COLLATERAL AGENT;REEL/FRAME:029140/0170 Effective date: 20121016 |
|
AS | Assignment |
Owner name: JEFFERIES FINANCE LLC, AS COLLATERAL AGENT, NEW YO Free format text: SECOND LIEN PATENT SECURITY AGREEMENT;ASSIGNOR:BLUE COAT SYSTEMS, INC.;REEL/FRAME:030740/0181 Effective date: 20130628 |
|
AS | Assignment |
Owner name: JEFFERIES FINANCE LLC, AS THE COLLATERAL AGENT, NE Free format text: SECURITY INTEREST;ASSIGNOR:BLUE COAT SYSTEMS, INC.;REEL/FRAME:035751/0348 Effective date: 20150522 |
|
AS | Assignment |
Owner name: BLUE COAT SYSTEMS, INC., CALIFORNIA Free format text: RELEASE OF SECURITY INTEREST IN PATENT COLLATERAL AT REEL/FRAME NO. 30740/0181;ASSIGNOR:JEFFERIES FINANCE LLC;REEL/FRAME:035797/0280 Effective date: 20150522 Owner name: BLUE COAT SYSTEMS, INC., CALIFORNIA Free format text: RELEASE OF SECURITY INTEREST IN PATENT COLLATERAL AT REEL/FRAME NO. 27727/0144;ASSIGNOR:JEFFERIES FINANCE LLC;REEL/FRAME:035798/0006 Effective date: 20150522 |
|
FPAY | Fee payment |
Year of fee payment: 4 |
|
AS | Assignment |
Owner name: BLUE COAT SYSTEMS, INC., CALIFORNIA Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:JEFFERIES FINANCE LLC;REEL/FRAME:039516/0929 Effective date: 20160801 |
|
AS | Assignment |
Owner name: SYMANTEC CORPORATION, CALIFORNIA Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:BLUE COAT SYSTEMS, INC.;REEL/FRAME:039851/0044 Effective date: 20160801 |
|
FEPP | Fee payment procedure |
Free format text: PAYOR NUMBER ASSIGNED (ORIGINAL EVENT CODE: ASPN); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY |
|
AS | Assignment |
Owner name: CA, INC., CALIFORNIA Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:SYMANTEC CORPORATION;REEL/FRAME:051144/0918 Effective date: 20191104 |
|
MAFP | Maintenance fee payment |
Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1552); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY Year of fee payment: 8 |
|
FEPP | Fee payment procedure |
Free format text: MAINTENANCE FEE REMINDER MAILED (ORIGINAL EVENT CODE: REM.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY |